From infra admin's point of view


Web services: From infra admin's point of view

Web services
- The World Wide Web (abbreviated WWW or the Web) is an information space where documents and other web resources are identified by Uniform Resource Locators (URLs), interlinked by hypertext links, and can be accessed via the Internet.
- Components: web server, web client, protocols
- Idea by Tim Berners-Lee, 1989
  - The idea of "hypertext" itself is much, much older
- 1990: first prototype
- Since 1996 the most popular web server software: Apache

Web Server Definition
- A Web server is a program that generates and transmits responses to client requests for Web resources.
- Handling a client request consists of several key steps:
  - Parsing the request message
  - Checking that the request is authorized
  - Associating the URL in the request with a file name
  - Constructing the response message
  - Transmitting the response message to the requesting client

Web Server Definition
- The server can generate the response message in a variety of ways:
  - The server simply retrieves the file associated with the URL and returns the contents to the client.
  - The server may invoke a script that communicates with other servers or a back-end database to construct the response message.

Web site vs. Web server
- Web site and Web server are different:
  - A Web site consists of a collection of Web pages associated with a particular hostname.
  - A Web server is a program to satisfy client requests for Web resources.
- HTTP is the protocol "language" in which client and server communicate

Handling client request
- A Web server proceeds through the following steps in handling an HTTP request:
  - Read and parse the HTTP request message
    - for example, GET the resource /foo.htm
  - Translate the URL to a file name
    - for example, resources may be located under a base directory such as /www, so the URL http://www.bar.com/foo/index.html corresponds to the file /www/foo/index.html
  - Determine whether the request is authorized
  - Generate and transmit the response, which includes a header showing the status information
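The four request-handling steps above, as an added Python example (not part of the original slides): it maps the request target to a file under the /www base directory from the slide, rejects paths that escape it, and checks authorization on the normalized path. The `/admin/` protected prefix and the `authenticated` flag are assumptions for illustration.

```python
import posixpath
from urllib.parse import urlsplit, unquote

DOC_ROOT = "/www"            # base directory used on the slide
PROTECTED = ("/admin/",)     # assumed: URL prefixes that require authentication

def parse_request_line(line):
    """Step 1: split 'METHOD target HTTP/x.y' and reject malformed input."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    return parts[0], parts[1]

def translate(target):
    """Step 2: map the URL path to a file name that stays inside DOC_ROOT."""
    path = unquote(urlsplit(target).path)       # decode %2e%2e etc. before checking
    if "\x00" in path or not path.startswith("/"):
        return None
    full = posixpath.normpath(posixpath.join(DOC_ROOT, path.lstrip("/")))
    # Containment check after normalization; the trailing "/" stops /www2 matching /www.
    if full != DOC_ROOT and not full.startswith(DOC_ROOT + "/"):
        return None
    if path.endswith("/"):
        full = posixpath.join(full, "index.html")
    return full

def handle(line, authenticated=False):
    """Steps 1-4: return (status, file name or None) for one request line.

    200 means "would be served"; file existence (404) and symlink
    resolution are left out of this sketch.
    """
    try:
        method, target = parse_request_line(line)
    except ValueError:
        return 400, None
    if method not in ("GET", "HEAD"):
        return 405, None
    filename = translate(target)
    if filename is None:
        return 403, None
    # Step 3: authorize against the normalized file name, not the raw URL.
    if filename.startswith(tuple(DOC_ROOT + p for p in PROTECTED)) and not authenticated:
        return 401, None
    return 200, filename
```

Authorizing on the normalized name matters: a target such as `/foo/../admin/panel.html` does not begin with `/admin/` as written, but resolves to a protected file.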

Web architecture

Dynamic responses
- The documents in the WWW can be grouped into three broad categories: static, dynamic, and active.
- The category is based on the time at which the contents of the document are determined.
- The dynamic feature differentiates the Web from earlier file transfer services on the Internet.
- Dynamically generated responses are created in a variety of ways:
  - Server-side include
  - Server script
- Most of the web nowadays is dynamic

SSI
- A server-side include instructs the Web server to customize a static resource based on directives in an HTML-like file.

Server Script
- A server script is a separate program that generates the requested resource.
- The program may run as
  - Part of the server
  - A separate process
- The main role of the Web server is
  - To associate the requested URL with the appropriate script
  - To pass data to/from the script
- The main role of the script is
  - To process the input from the server
  - To generate the content for the client

Active documents
- Active documents are sometimes referred to as client-site dynamic documents.

Topics to remember
- The Hypertext Transfer Protocol (HTTP) is a protocol used mainly to access data on the World Wide Web.
- To get the data, the client sends a request and the server responds with data or a status message
- The client request must contain a URL
- URL stands for Uniform Resource Locator, and is used to specify addresses on the World Wide Web.
- A URL is the fundamental network identification for any resource connected to the web (e.g., hypertext pages, images, and sound files).
- URLs have the following format: protocol://hostname/other_information.
- Web pages can be static, dynamic or active

Security
- HTTP is a PLAIN TEXT protocol
  - We all know what that means
- Solution: HTTPS
- HTTPS (also called HTTP over SSL or HTTP Secure) is a protocol for secure communication over a computer network which is widely used on the Internet.
- HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security or its predecessor, Secure Sockets Layer.
- The main motivation for HTTPS is authentication of the visited website and protection of the privacy and integrity of the exchanged data.

SSL Next slideshow

Return to web services: Some (extra)useful features for Infra admin

Web Services – PROXYING, Caching
- A web proxy acts as a sort of L7 sNAT/dNAT
- It can also act as a sort of L7 firewall
- It can also act as a web cache
- Most common web servers include a proxying module
  - sometimes it makes more sense to use a dedicated web proxy like haproxy or squid
    - they also cache (though not a topic here)
  - sometimes it is easier to use the web server's proxy module
  - it depends on what requirements you have
- Big companies prefer commercial web filtering solutions, sometimes integrated with firewalls (combining L3 and L7)

What is web cache
- A web cache (or HTTP cache) is an information technology for the temporary storage (caching) of web documents, such as HTML pages and images, to reduce bandwidth usage, server load, and perceived lag.
- HTTPS cannot be cached (encryption!)

Technologies behind
- Proxy/cache can be "transparent" or client-side configured
- "Transparent" technology involves "trickery":
  - DNS records
  - Routes
- Benefits:
  - No client-side configuration needed
  - No user can bypass it (ha-ha!)
- Negative:
  - HTTP only (most cases)
  - Can cause problems

Types of proxies
- Forward proxy
- Reverse proxy
- They can do:
  - Rewrite (redirect)
  - Caching
  - SSL offloading
  - Load balancing
  - Filtering

Forward proxy
- A forward proxy forwards requests from client to server.
- L7 sNAT
- It masquerades the client from the server.
- It can be used for web filtering, "anonymous" browsing, cache etc.

Forward proxy
- Popular in BIG Co.-s
- Forward proxy with URL filtering
  - Sorta works together with L3 filtering
- Can do SSL MITM in "controlled environments" (BigCo.)
  - Bad!
  - Can go against local laws
  - Breaks two-way SSL authentication, if not implemented correctly
- Dangers: a misconfigured forward proxy (open relay) is easily detectable and usable by Black Hats.
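A defender's check for the open-relay danger above, as an added Python example that is not from the original slides: it scans access-log lines for requests that ask this server to fetch from or tunnel to a foreign host. The log lines are constructed samples, and `OWN_HOSTS` and the combined-style log layout are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in an Apache "combined"-style layout (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [01/Mar/2024:10:00:05 +0000] "GET http://example.org/ HTTP/1.1" 200 1270
198.51.100.7 - - [01/Mar/2024:10:00:06 +0000] "CONNECT example.net:443 HTTP/1.1" 200 0
203.0.113.9 - - [01/Mar/2024:10:00:09 +0000] "CONNECT example.net:25 HTTP/1.1" 403 199
192.0.2.10 - - [01/Mar/2024:10:00:12 +0000] "GET http://www.bar.com/foo/index.html HTTP/1.1" 200 734
"""

OWN_HOSTS = {"www.bar.com"}   # assumed: host names this server legitimately serves
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def proxy_attempts(log_text, own_hosts=OWN_HOSTS):
    """Return (client, method, foreign_host, answered_2xx) for proxy-style requests."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        if method == "CONNECT":                 # tunnel request: target is host:port
            host = target.rsplit(":", 1)[0]
        elif "://" in target:                   # absolute-URI form used towards proxies
            host = urlsplit(target).hostname or ""
        else:
            continue                            # ordinary origin-form request
        if host.lower() in own_hosts:
            continue
        # A 2xx answer suggests the request was relayed. Some servers answer an
        # absolute-URI GET with local content instead, so confirm before concluding.
        findings.append((client, method, host, status.startswith("2")))
    return findings

def relayed_clients(log_text):
    """Clients whose proxy-style requests received a 2xx answer."""
    return sorted({c for c, _, _, ok in proxy_attempts(log_text) if ok})
```

Any client returned by `relayed_clients` is a reason to review the proxy module's access restrictions.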

Reverse proxy
- "Hides" servers from the client
- L7 dNAT
- Can be very useful for admin:
  - Service aggregation
  - Can be used as L7 "firewall"
  - SSL offloading (good one)
  - Load balancing
  - "Patching" (bad one)
- Commercial proxies are extremely expensive

SSL Offloading
- Reverse
  - Problem:
    - crypto is "expensive" (in terms of computational power)
    - certificate management creates administrative overhead
  - Pluses:
    - Reduces server load
    - Secure "enough"
  - Minuses:
    - certificate management (SAN, wildcard)
  - Usually used together with load balancing
- Forward
  - Cannot be implemented with 2-way SSL
  - Privacy concerns
  - Breaks things (Skype for example)

Rewrite
- To rewrite URLs "on the fly"
- RegExp :(
- Used to redirect the client
  - Very common: HTTP to HTTPS
  - Improve usability (shorten URLs)
- Do not mix up with proxy, they are different things
- Common misuse: "patching tool"

Exercise
- In elab (NB! It's elab machine): https://elab.itcollege.ee/
- Lab: HTTPS security